DETAILED ACTION

1. Applicant's submission for RCE filed on Sep. 11, 2007 has been entered. Claims 
1-6, 8-13, 15, 16 are pending. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

2. Claims 1-6, 8-13 and 15 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

Claim 9 recites "A firewall/VPN integrated circuit comprising: a router core; a
firewall system, comprises a first layer...., a second layer; a VPN configured to
provide security function; an interface configured to determine". In accordance
with page 1 lines 15-19, page 3 lines 10-14 of applicant's specification, firewall/VPN
portion are not limited to hardware (i.e. software modules). As such, the claimed system
must include hardware necessary to realize any of the functionality of the claimed
modules and produce a useful, concrete and tangible result. Absent recitation of such
hardware or physical transformation as part of the claimed system, it is considered
non-statutory.

Claims 10-13, 15 depend on claim 9, therefore they are rejected with the same rationale 
applied against claim 9 above. 

Claim 1 has limitations that are similar to those of claim 9, thus it is rejected with
the same rationale applied against claim 9 above. Claims 2-6, 8 depend on claim 1, 
therefore they are rejected with the same rationale applied against claim 1 above. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-3, 9 and 10 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Vairavan (US Pub. No. 2002/0083344) in view of Hui et al (US Pub. No. 
2004/0010712) in view of Canion et al (US Patent No. 2002/0108059) in view of 
Foschiano et al (US Pub. No. 2004/0022253) and in view of Yang et al (US Patent No. 
7,003,118). 

As per claim 1, Vairavan discloses:

at least one wide area network (WAN); at least one local area network (LAN) [Fig. 1,
paragraph 0047, 0048]; and an integrated firewall/VPN chipset configured to send and
receive data packets between said WAN and said LAN [Fig. 1, component 110].
Further, Vairavan teaches filtering techniques within different firewall layers [paragraph
0086, 0087 - i.e. a firewall comprising multiple layers], a first layer including a header
match packet filtering engine configured to provide pattern matching in selected 
headers of data, a second layer including a content match packet filtering engine 
configured to analyze the scope of at least one data packet [paragraph 0074-0079, 
0086, 0088, 0137 lines 1-3]. 

Hui teaches a firewall which provides packet filtering function along with application 
proxy function (i.e. a third layer), a third layer including at least one application proxy
configured to provide additional pattern matching [paragraph 0220]. Further, Hui 
teaches a listening table which stores a TCP/UDP connection setup in a look-up-table 
[paragraph 0070, 0149] and to forward the setup progress to said CPU for tracking 
[paragraph 0070, 0084, 0090, 0105]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Hui with Vairavan, since one would have been 
motivated to improve speed/security for firewall and speed for VPN [Hui, paragraph 
0009]. 

Canion teaches a fourth layer including a session match engine configured to store a 
TCP/UDP connection setup in a look-up-table and to forward the setup progress to said 
CPU for tracking [paragraph 0067, 0068, 0072]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Canion with Vairavan and Hui, since one would 
have been motivated to examine the packet for security violation to distinguish real 
requests from attack based requests [Canion, paragraph 0009]. 



Application/Control Number: 10/658,561
Art Unit: 2135

Foschiano teaches hardware engine to provide pre-analysis processing to reduce the
workload of a central processing unit (CPU) [paragraph 0060, 0042].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to combine Foschiano with Vairavan, Hui and Canion, since
one would have been motivated to prevent overload of the inspection engine
[Foschiano, paragraph 0042].

Further, Vairavan discloses: 

a VPN configured to provide security functions for data between said LAN and said 
WAN, wherein said security functions are selected from the group consisting of 
encryption, decryption, encapsulation, and decapsulation of said data packets 
[paragraph 0109, 0112]; an interface configured to determine if said data packets are
plain text or cipher text, said interface further configured to forward a preselected
number of bytes to said firewall if said data packets are plain text, said interface further
configured to forward said data packets to said VPN if said data packets are cipher
text [Fig. 6A, 7, 8, paragraph 0132]. Further, Vairavan teaches a VPN processor 
configured to decrypt and decapsulate said at least one data packet, said VPN further 
includes an inbound security database having database of tunnels configured to provide 
VPN processor with tunnel information used to decrypt and decapsulate said at least 
one data packet, said VPN further including protocol instructions having macrocodes 
configured to instruct said VPN processor to decrypt and decapsulate said at least one 
data packet according to a user-defined security procedure [paragraph 0080-0085, 
0091-0101].

Yang teaches: the VPN including a VPN packet buffer configured to receive at least one
of said data packets and to forward said at least one data packet to an inbound VPN 
processor to decrypt and decapsulate said at least one data packet, said VPN further 
including an inbound security database having a database of tunnels configured to 
provide VPN processor with tunnel information used to decrypt and decapsulate said at 
least one data packet [Fig. 5, 6, col. 8 lines 8-67, col. 9 lines 1-18].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to combine Yang with Vairavan, Hui, Canion and Foschiano, 
since one would have been motivated to increase the speed for the network security 
operation related to IPSEC and Authentication Headers [Yang, col. 1 lines 19-21]. 

As per claim 2, the rejection of claim 1 is incorporated and Vairavan discloses:

said chipset further comprises a router adapted to route data between said WAN and
said LAN [Fig. 1, 2, paragraph 0058, 0122, 0139 lines 1-4].

As per claim 3, the rejection of claim 1 is incorporated and Vairavan teaches said
firewall is configured to provide static and/or dynamic data packet filtering (i.e. based on
filtering rules/policy) [paragraph 0074].

As per claim 9, it encompasses limitations that are similar to limitations of claims 1 and
2. Thus, it is rejected with the same rationale applied against claims 1 and 2 above.

As per claim 10, the rejection of claim 9 is incorporated and it encompasses limitations
that are similar to limitations of claim 3. Thus, it is rejected for the same reason set forth 
in the rejection of claim 3 above. 

4. Claims 4 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Vairavan (US Pub. No. 2002/0083344) in view of Hui et al (US Pub. No. 2004/0010712) 
in view of Canion et al (US Patent No. 2002/0108059) in view of Foschiano et al (US 
Pub. No. 2004/0022253) and in view of Yang et al (US Patent No. 7,003,118) and in 
view of Lee (US Patent No. 7,047,561). 

As per claim 4, the rejection of claim 1 is incorporated and Lee teaches said header
match packet filtering engine is configured to provide pattern matching in selected 
headers of said data and their combination from L2, L3 and L4 headers [Fig. 5]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Lee with Vairavan, Hui, Canion, Foschiano and 
Yang, since one would have been motivated to provide the necessary speed/security for 
real-time Internet applications [Lee, col. 2 lines 15-17]. 

As per claim 11, the rejection of claim 10 is incorporated and it encompasses limitations
that are similar to limitations of claim 4. Thus, it is rejected for the same reason set forth 
in the rejection of claim 4 above. 

5. Claims 5, 6, 12 and 13 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Vairavan (US Pub. No. 2002/0083344) in view of Hui et al (US Pub. 
No. 2004/0010712) in view of Canion et al (US Patent No. 2002/0108059) in view of 
Foschiano et al (US Pub. No. 2004/0022253) in view of Yang et al (US Patent No. 
7,003,118) and in view of Krishna et al (US Patent No. 6,477,646).

As per claim 5, the rejection of claim 1 is incorporated and Vairavan discloses the
chipset further configured to analyze access control functions [0086, 0132].
Krishna teaches a security chip to incorporate both encryption and authentication
functionality in a signal chip [Fig. 2, 4]. Further, Kim teaches processing the packet 
based on preselected bytes of the data packet [col. 3 lines 64-67, col. 4 lines 1-2, col. 5 
lines 38-50]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Krishna with Vairavan, Hui, Canion, Foschiano and 
Yang, since one would have been motivated to improve performance
[Krishna, col. 2 lines 26-27]. 

As per claim 6, the rejection of claim 5 is incorporated and Krishna teaches:

said preselected bytes comprise the first 144 bytes of said data packet [col. 4 lines 1-2,
col. 6 lines 28-32]. 

As per claim 12, the rejection of claim 9 is incorporated and it encompasses limitations
that are similar to limitations of claim 5. Thus, it is rejected for the same reason set forth 
in the rejection of claim 5 above. 

As per claim 13, the rejection of claim 12 is incorporated and it encompasses limitations
that are similar to limitations of claim 6. Thus, it is rejected for the same reason set forth 
in the rejection of claim 6 above. 

6. Claims 8, 15 and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Vairavan (US Pub. No. 2002/0083344) in view of Hui et al (US Pub. No. 
2004/0010712) in view of Canion et al (US Patent No. 2002/0108059) in view of 
Foschiano et al (US Pub. No. 2004/0022253) and in view of Yang et al (US Patent No. 
7,003,118) and in view of Osborne et al (US Patent No. 6,687,833).

As per claim 16, Vairavan discloses:

filtering techniques within different firewall layers [paragraph 0086, 0087 - i.e. a firewall 
comprising multiple layers], a first layer including a header match packet filtering engine, 
a second layer including a content match packet filtering engine configured to analyze 
the scope of at least one data packet [paragraph 0074, 0086, 0088, 0137 lines 1-3]. 

Further, Vairavan discloses:

a VPN configured to provide security functions for data between said LAN and said 
WAN, wherein said security functions are selected from the group consisting of 
encryption, decryption, encapsulation, and decapsulation of said data packets 
[paragraph 0109, 0112]; an interface configured to determine if said data packets are
plain text or cipher text, said interface further configured to forward a preselected
number of bytes to said firewall if said data packets are plain text, said interface further
configured to forward said data packets to said VPN if said data packets are cipher
text [Fig. 6A, 7, 8, paragraph 0132]. Further, Vairavan teaches a VPN processor 
configured to decrypt and decapsulate said at least one data packet, said VPN further 
includes an inbound security database having database of tunnels configured to provide 
VPN processor with tunnel information used to decrypt and decapsulate said at least 
one data packet, said VPN further including protocol instructions having macrocodes 
configured to instruct said VPN processor to decrypt and decapsulate said at least one 
data packet according to a user-defined security procedure [paragraph 0080-0085, 
0091-0101]. 

Hui teaches a firewall which provides packet filtering function along with application 
proxy function (i.e. a third layer), a third layer including at least one application proxy
configured to provide additional pattern matching [paragraph 0220]. Further, Hui 
teaches a listening table which stores a TCP/UDP connection setup [paragraph 0070, 
0149] and to forward the setup progress to a central processing unit (CPU) for tracking 
[paragraph 0070, 0084, 0090, 105]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to combine Hui with Vairavan, since one would have been 
motivated to improve speed/security for firewall and speed for VPN [Hui, paragraph 
0009]. 

Canion teaches a fourth layer including a session match engine configured to store a 
TCP/UDP connection setup and to forward the setup progress to a central processing 
unit (CPU) for tracking [paragraph 0067, 0068, 0072]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to combine Canion with Vairavan and Hui, since one would
have been motivated to examine the packet for security violation to distinguish real
requests from attack based requests [Canion, paragraph 0009].

Foschiano teaches hardware engine to provide pre-analysis processing to reduce the
workload of a central processing unit (CPU) [paragraph 0060, 0042].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to combine Foschiano with Vairavan, Hui and Canion, since
one would have been motivated to prevent overload of the inspection engine
[Foschiano, paragraph 0042].

Yang teaches: the VPN including a VPN packet buffer configured to receive at least one 
of said data packets and to forward said at least one data packet to an inbound VPN 
processor to decrypt and decapsulate said at least one data packet, said VPN further 
including an inbound security database having a database of tunnels configured to 
provide VPN processor with tunnel information used to decrypt and decapsulate said at
least one data packet [Fig. 5, 6, col. 8 lines 8-67, col. 9 lines 1-18].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time
the invention was made to combine Yang with Vairavan, Hui, Canion and Foschiano, 
since one would have been motivated to increase the speed for the network security 
operation related to IPSEC and Authentication Headers [Yang, col. 1 lines 19-21].

Osborne teaches: defining one or more access control protocols [Fig. 3, col. 5 lines 27-
65]; receiving a data packet [Fig. 2]; selecting a certain number of bytes of said data 
packet; processing said selected bytes using said access control protocols [Fig. 8, 9 col. 
6 lines 60-67, col. 7 lines 6-21]. 

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Osborne with Vairavan, Hui, Canion and Yang, 
since one would have been motivated to provide network security system capable of 
diverting and tracking potential attacks [Osborne, col. 2 lines 12-13]. 

As per claim 8, the rejection of claim 1 is incorporated and Vairavan teaches said
firewall further includes access control modules [Fig. 4, 5]. 

Osborne teaches access control function comprising user-defined access control 
protocols [Fig. 2, 3]. 

As per claim 15, the rejection of claim 9 is incorporated and it encompasses limitations
that are similar to limitations of claim 8. Thus, it is rejected for the same reason set forth
in the rejection of claim 8 above. 



Response to Amendment 

7. Applicant has amended claims 1, 9 and 16 which necessitated new ground of 
rejection. See rejection above. 

Conclusion 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Nirav Patel whose telephone number is 571-272-5936. 
The examiner can normally be reached on 8 am - 4:30 pm (M-F). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

NBP
12/19/07



